Question on email alerts

About a month ago I got our email alerts working. I'm now seeing some of the alerts below appear. I was wondering if the information field is self-explanatory on why the alert is appearing?

i.e. freespace override = ran out of space and purged logs?

Is there a document or something that would explain what these alerts mean?

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
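The alert records pasted above all share one layout: a header line with the timestamp and the f_/a_/t_/p_ tags, followed by key: value lines. As an added example that is not from the original post or from McAfee, the Python parser below takes two of those records (copied verbatim as constructed sample input) and turns each into a dict with the violation kind, the operation, the wanted and granted permission masks and the free-text information field, so a batch of these emails can be grouped for triage rather than read one by one. The header field names (facility, area, type, priority) and the reading of the permission values as bit masks are my assumptions, not documented meanings.

```python
import re

# Constructed sample: two of the alert records pasted in the question, copied verbatim.
SAMPLE_ALERTS = """\
2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (f_\w+) (a_\w+) (t_\w+) (p_\w+)$")
PAIR = re.compile(r"(\w+): ('[^']*'|\S+)")        # "key: value" tokens, quoted cmd included
PERM = re.compile(r"(wanted perm|perm wanted|granted perm|perm granted): (0x[0-9a-fA-F]+)(?:<([^>]*)>)?")

def parse_record(lines: list[str]) -> dict[str, object]:
    m = HEADER.match(lines[0])
    if not m: raise ValueError(f"unexpected header line: {lines[0]!r}")
    rec: dict[str, object] = dict(zip(("time", "facility", "area", "type", "priority"), m.groups()))
    for line in lines[1:]:
        key, _, rest = line.partition(": ")
        if key == "information":      # free text (the field the question asks about); keep verbatim
            rec["information"] = rest
        elif key == "event":          # "<kind> violation" followed by domain/file pairs
            kind, _, pairs = rest.partition(" violation")
            rec["violation"] = kind
            rec.update(PAIR.findall(pairs))
        elif key == "reason":         # operation plus wanted/granted permission masks
            op = re.search(r"OP: (\S+)", rest)
            rec["op"] = op.group(1) if op else None
            for label, hexval, names in PERM.findall(rest):
                side = "wanted" if "wanted" in label else "granted"
                rec[f"{side}_perm"], rec[f"{side}_names"] = int(hexval, 16), names
        else:                         # pid/logid/cmd and hostname/category lines
            rec.update((k, v.strip("'")) for k, v in PAIR.findall(line))
    # Assumption: the hex values are bit masks (0x9 is labelled <read,execute> in the post),
    # so the bits refused by policy are those wanted but not granted.
    rec["denied_bits"] = rec.get("wanted_perm", 0) & ~rec.get("granted_perm", 0)
    return rec

def parse_alerts(text: str) -> list[dict[str, object]]:
    # Records in the pasted body are separated by blank lines.
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_record(b) for b in blocks]
```

Grouping the parsed records by (violation, cmd, op) shows at a glance which process and operation keeps tripping which rule, which is the question a triage pass needs answered before deciding whether a policy change or an investigation is warranted.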
